On 10/25/12 19:29, Endi Sukma Dewata wrote:
On 10/22/2012 5:07 PM, Endi Sukma Dewata wrote:
> On 10/3/2012 6:01 PM, Endi Sukma Dewata wrote:
>> The tomcat.conf and pkideployment.cfg have been modified to enable
>> the security manager. The catalina.policy has been updated with
>> more specific permissions for PKI.
>>
>> Ticket #223
>
> New patch attached. It will now combine the default Tomcat policy with
> PKI standard policy and custom policy.
New patch attached. It fixes pki.policy and the code to generate
catalina.policy.
ACK
Applied patch, built, installed, and successfully tested a CA running
under the Tomcat Java Security Manager:
# ps -ef | grep tomcat
pkiuser 28050 1 2 19:15 ? 00:00:17
/usr/lib/jvm/jre/bin/java -classpath
:/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
-Dcatalina.base=/var/lib/pki/pki-tomcat
-Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs=
-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp
-Djava.security.manager
-Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
-Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
org.apache.catalina.startup.Bootstrap start
I noticed one oddity in the '/usr/sbin/tomcat' file where they had
specified -Djava.security.policy=="${CATALINA_BASE}/conf/catalina.policy"
rather than
-Djava.security.policy="${CATALINA_BASE}/conf/catalina.policy" (used
an "==" rather than a single "="), but when I manually changed this
and restarted the server, I was still able to successfully request,
approve, and issue another cert.
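The "==" versus "=" distinction in the ps output above is worth checking mechanically, because the two forms mean different things to the JVM: -Djava.security.policy==FILE makes FILE the only policy in effect (the policy.url.n entries from the JRE's java.security are ignored), while -Djava.security.policy=FILE adds FILE on top of those defaults. The following shell script is an added example, not code from the thread or from the pki project: it classifies a Tomcat JVM command line (as printed by ps -ef) as having the security manager disabled, enabled with the default policy only, enabled with an additive policy file, or enabled with an exclusive policy file. The sample command line is constructed to mirror the one in the thread; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread or the pki project).
# Classify how a Tomcat JVM command line configures the Java Security
# Manager. Java reads "-Djava.security.policy==FILE" (two equals signs) as
# "use FILE as the only policy", replacing the policy.url.n entries from
# the JRE's java.security; a single "=" adds FILE to those defaults.

# security_manager_mode CMDLINE
# Prints one of:
#   disabled          no -Djava.security.manager on the command line
#   default           manager on, no -Djava.security.policy given
#   additive:FILE     manager on, FILE added to the JRE default policies
#   exclusive:FILE    manager on, FILE replaces the JRE default policies
# Returns 0 when the manager is on and an explicit policy file was given.
security_manager_mode() {
    cmdline="$1"
    case "$cmdline" in
        *-Djava.security.manager*) ;;
        *) echo "disabled"; return 1 ;;
    esac
    # Take the value of the first -Djava.security.policy=... argument.
    # After stripping the option name and its first "=", an exclusive
    # policy still starts with "=", an additive one starts with the path.
    policy=$(printf '%s\n' "$cmdline" | tr ' ' '\n' \
             | sed -n 's/^-Djava\.security\.policy=//p' | head -n 1)
    case "$policy" in
        "")  echo "default"; return 1 ;;
        =*)  echo "exclusive:${policy#=}"; return 0 ;;
        *)   echo "additive:$policy"; return 0 ;;
    esac
}

# check_live_tomcat: run the classifier over every java process on this
# host (ps output is one line per process, unlike the wrapped mail text).
check_live_tomcat() {
    ps -o pid=,args= -C java 2>/dev/null | while read -r pid args; do
        printf '%s: %s\n' "$pid" "$(security_manager_mode "$args")"
    done
}

# Constructed sample mirroring the command line quoted in the thread.
SAMPLE_CMDLINE='/usr/lib/jvm/jre/bin/java -classpath :/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy org.apache.catalina.startup.Bootstrap start'

security_manager_mode "$SAMPLE_CMDLINE"
```

With the sample above the script prints exclusive:/var/lib/pki/pki-tomcat/conf/catalina.policy, i.e. the generated catalina.policy is the whole policy and nothing from the JRE's default policy files is granted in addition. Changing "==" to "=" as described in the reply would instead report additive, which is why the CA kept working: the JRE defaults only ever add permissions, so the exclusive form is the stricter of the two.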